
I just visited a Chinese website to download a PDF file. My computer is corrupted. Excel and Word files now end with .roauwhd

How to clean? Please help.

Also, a file named README in .txt format has been added to every directory, showing the following.

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.

The only 1 way to decrypt your files is to receive the private key and decryption program.

Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:

Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":

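A read-only triage script for the symptoms described in the post above (the appended .roauwhd extension and the README.txt note dropped in every directory), added here as an example and not part of the thread. It assumes Python 3, builds its own constructed sample tree in a temporary directory rather than touching a real disk, and only inventories files; it never modifies or deletes anything.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the post: the appended extension and the note's first line.
ENCRYPTED_EXT = ".roauwhd"
NOTE_NAME = "readme.txt"
NOTE_MARKER = "HAVE BEEN ENCRYPTED"

def triage(root):
    """Walk root read-only and inventory ransomware indicators: encrypted files,
    ransom notes (README.txt containing the marker, so ordinary readmes are skipped),
    per-directory counts, and the earliest/latest mtime of encrypted files as a timeline."""
    encrypted, notes, per_dir = [], [], {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
                per_dir[dirpath] = per_dir.get(dirpath, 0) + 1
            elif name.lower() == NOTE_NAME:
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        head = fh.read(4096)
                except OSError:
                    continue
                if NOTE_MARKER in head:
                    notes.append(path)
    mtimes = [os.path.getmtime(p) for p in encrypted]
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "per_dir": per_dir,
            "first_mtime": min(mtimes, default=None), "last_mtime": max(mtimes, default=None)}

def run_demo():
    """Build a constructed sample tree mimicking the post's symptoms and triage it."""
    base = Path(tempfile.mkdtemp())
    (base / "docs").mkdir()
    (base / "docs" / "budget.xlsx.roauwhd").write_bytes(b"\x00" * 16)
    (base / "docs" / "letter.docx.roauwhd").write_bytes(b"\x00" * 16)
    (base / "docs" / "README.txt").write_text(
        "ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!\n")
    (base / "notes.txt").write_text("untouched file\n")          # clean file, ignored
    (base / "README.txt").write_text("Normal project readme.\n")  # not a ransom note
    return triage(str(base))

if __name__ == "__main__":
    report = run_demo()
    print(len(report["encrypted"]), "encrypted files;", len(report["notes"]), "ransom notes")
    for directory, count in report["per_dir"].items():
        print(f"{count:5d}  {directory}")
```

Point `triage()` at a mounted copy or image of the affected volume to get a per-directory count of renamed files and a first/last modification time that helps narrow down when the encryption ran, which is the kind of detail the responders in this thread ask for.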

Those should be the ransomware instructions which are detected. The last variant of Magniber was seen about 10 days ago. If you got infected recently, it should be due to having outdated modules or disabled protection (e.g. if an attacker logged in via RDP and disabled the AV). However, without further logs it's impossible to tell how the infection occurred.

As far as hxxp://katfile.com goes, 2 suspicious and 1 potentially suspicious files were found. The two suspicious files indicate monitoring of Google activities, which one would expect from the Chinese government. The potentially suspicious file is most interesting in that it contains suspect JavaScript code, as shown by the screenshots below.

The JavaScript code definitely looks obfuscated to me. Now, if you had upgraded to Win 10, ESET could employ AMSI to decode this script prior to memory execution.


I will also note that if you are using IE11 as your browser, make sure it is fully patched by applying all Windows Updates. This Cerber ransomware variant is known to exploit an IE11 vulnerability discovered in 2017.